---
slug: /api/secrets
---
import Tabs from '@theme/Tabs';
import TabItem from '@theme/TabItem';

# Secrets

Dagger has first-class support for "secrets", such as passwords, API keys, SSH keys and so on. These secrets can be securely used in Dagger functions without exposing them in plaintext logs, writing them into the filesystem of containers you're building, or inserting them into the cache.

Here is an example, which uses a secret in a Dagger function chain:

<Tabs groupId="language">
<TabItem value="Dagger CLI">
```shell
export API_TOKEN="guessme"

dagger core container \
  from --address=alpine:latest \
  with-secret-variable --name="MY_SECRET" --secret="env://API_TOKEN" \
  with-exec --args="sh","-c",'echo this is the secret: $MY_SECRET' \
  stdout
```
</TabItem>
<TabItem value="Go">
```go file=./snippets/secrets/go/main.go
```
</TabItem>
<TabItem value="Python">
```python file=./snippets/secrets/python/main.py
```
</TabItem>
<TabItem value="TypeScript">
```typescript file=./snippets/secrets/typescript/index.ts
```
</TabItem>
</Tabs>

[Secret arguments](./arguments.mdx#secret-arguments) can be sourced from multiple providers: the host environment, the host filesystem, the result of host command execution, and external secret managers [1Password](https://1password.com/) and [Vault](https://www.hashicorp.com/products/vault).

## Security considerations

- Dagger automatically scrubs secrets from its various logs and output streams. This ensures that sensitive data does not leak - for example, in the event of a crash.
- Secret plaintext should be handled securely within your Dagger pipeline. For example, you should not write secret plaintext to a file, as it could then be stored in the Dagger cache.
